In J2EE and .NET roles are assigned to methods using external configuration files, called the deployment descriptors. Assigning roles to methods, although conceptually simple, in practice it is quite complicated. For instance, in order for a deployer to assign a role r to a method m, the deployer must understand the set of roles R that are assigned to each method n that can be invoked directly or indirectly from m, and that r has to be "consistently" assigned with respect R. Understanding such role consistency is a non-trivial task. Also, in J2EE roles are defined with respect to method access and not data access. Therefore, in order to protect sensitive data, one has to encode data access control using method access control. This can lead to interesting and subtle access control problems when accessing sensitive data, including information leakage through data flow from one method to another.In this paper we focus on data-centric security by presenting two concepts: Role Analysis: We present a simple interprocedural static analysis for detecting security problems when objects are accessed by multiple methods that do not have compatible or consistent assignment of roles. We then introduce the notion of an object "escaping" a role and present a simple interprocedural static analysis for computing the set of objects that may escape a role. Consistency-Based Security and Role Typestates: We extend J2EE method-based role assignment to consistency-based role assignment. In this paper we will focus on assigning roles to typestates rather than methods.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Eric Armstrong, Jennifer Ball, Stephanie Bodoff, Debbie Bode Carson, Ian Evans, Dale Green, Kim Haase, and Eric Jendrock. The J2EE 1.4 Tutorial. Sun Java System Application Server Platform Edition, 2005.
	2	Anindya Banerjee , David A. Naumann, Representation independence, confinement and access control [extended abstract], Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.166-177, January 16-18, 2002, Portland, Oregon
	3	Anindya Banerjee , David A. Naumann, Secure Information Flow and Pointer Confinement in a Java-like Language, Proceedings of the 15th IEEE Computer Security Foundations Workshop (CSFW'02), p.253, June 24-26, 2002
	4	Anindya Banerjee , David A. Naumann, Stack-based access control and secure information flow, Journal of Functional Programming, v.15 n.2, p.131-177, March 2005  [doi>10.1017/S0956796804005453]
	5	D. E. Bell and L. J. LaPadula. Secure computer system: unified exposition and multics interpretation. Technical Report MTR-2997, MITRE Corporation, March 1976.
	6	Bruno Blanchet, Escape analysis for object-oriented languages: application to Java, Proceedings of the 14th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, p.20-34, November 01-05, 1999, Denver, Colorado, United States
	7	Jong-Deok Choi , Manish Gupta , Mauricio Serrano , Vugranam C. Sreedhar , Sam Midkiff, Escape analysis for Java, Proceedings of the 14th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, p.1-19, November 01-05, 1999, Denver, Colorado, United States
	8	R. DeLine and M. Fahndrich. Typestates for objects. In 18th European Conference on Object-Oriented Programming, 2004.
	9	David F. Ferraiolo and D. Richard Kuhn. Role-based access controls. In 15th NIST-NCSC National Computer Security Conference, pages 554--563, Baltimore, MD, USA, October 1992.
	10	David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001  [doi>10.1145/501978.501980]
	11	Elena Ferrari and Bhavani Thuraisingam. Web and Information Security. Idea Group Publishing, 2006.
	12	Frédéric Vivien , Martin Rinard, Incrementalized pointer and escape analysis, Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation, p.35-46, June 2001, Snowbird, Utah, United States
	13	Erich Gamma , Richard Helm , Ralph Johnson , John Vlissides, Design patterns: elements of reusable object-oriented software, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1995
	14	David Grove , Craig Chambers, A framework for call graph construction algorithms, ACM Transactions on Programming Languages and Systems (TOPLAS), v.23 n.6, p.685-746, November 2001  [doi>10.1145/506315.506316]
	15	Michael Hind, Pointer analysis: haven't we solved this problem yet?, Proceedings of the 2001 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering, p.54-61, June 2001, Snowbird, Utah, United States  [doi>10.1145/379605.379665]
	16	Patrick Lam , Viktor Kuncak , Martin Rinard, Generalized typestate checking using set interfaces and pluggable analyses, ACM SIGPLAN Notices, v.39 n.3, March 2004  [doi>10.1145/981009.981016]
	17	Brian A. LaMacchia, Sebastian Lange, Matthew Lyons, Rudi Martin, and Kevin T. Price. .NET Framework Security . Pearson Education, 2002.
	18	Ninghui Li , Mahesh V. Tripunitara, Security analysis in role-based access control, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA  [doi>10.1145/990036.990058]
	19	V. Benjamin Livshits and Monica S. Lam. Finding security vulnerabilities in java applications with static analysis. In Proceedings of the 14th USENIX Security Symposium, 2005.
	20	Gleb Naumovich and Paolina Centonze. Static Analysis of Role-Based Access Control in J2EE Applications. In Workshop on testing, analysis and verification of web services, pages 1--10, New York, NY, USA, 2004. ACM Press.
	21	Flemming Nielson , Hanne R. Nielson , Chris Hankin, Principles of Program Analysis, Springer-Verlag New York, Inc., Secaucus, NJ, 1999
	22	Sylvia Osborn , Ravi Sandhu , Qamar Munawer, Configuring role-based access control to enforce mandatory and discretionary access control policies, ACM Transactions on Information and System Security (TISSEC), v.3 n.2, p.85-106, May 2000  [doi>10.1145/354876.354878]
	23	Young Gil Park , Benjamin Goldberg, Escape analysis on lists, Proceedings of the ACM SIGPLAN 1992 conference on Programming language design and implementation, p.116-127, June 15-19, 1992, San Francisco, California, United States
	24	Marco Pistoia, Robert J. Flynn, Larry Koved, and Vugranam C. Sreedhar. Interprocedural analysis for privileged code placement and tainted variable detection. In 19th European Conference on Object-Oriented Programming, pages 362--386, 2005.
	25	Marco Pistoia, Vugranam Sreedhar, and Robert Flynn. Static evaluation of role-based access control policies in distributed component-based systems. Technical Report RC23836 (W0411-166), IBM TJ Watson Research Center, IBM Research Division, Yorktown, NY, November 2004.
	26	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845]
	27	R E Strom , S Yemini, Typestate: A programming language concept for enhancing software reliability, IEEE Transactions on Software Engineering, v.12 n.1, p.157-171, Jan. 1986